[EL] The $45M Heist from NYC ATMs - Cushman
Jack Cushman
jcushman at gmail.com
Thu May 16 16:52:23 PDT 2013
I'm sympathetic in general to the idea of risk management -- that any
election system is imperfect and susceptible to attack, and perfect should
not be the enemy of the good. What gives me pause about internet voting is
that it's not really amenable to risk management, because the risk is
absolute and unquantifiable. By which I mean, there is no limit on how
large an attack can be and still succeed.
For example, consider the risk in Massachusetts, where we use paper ballots
and optical scan for the most part. I can describe attacks on this model,
such as corrupting the optical scan counts; corrupting officials to throw
out ballots; coercing absentee ballots; and designing ballots so that some
voters cast the wrong votes. But I cannot describe an attack that would
meaningfully shift the vote without being detected. Any meaningful attack
would require thousands of accomplices throughout the state including the
cooperation of opposing observers, or would be defeated by a hand recount.
So I can put a low upper bound on corruption with great confidence. And
this is true regardless of the resources brought to bear in the attack. For
example, it's interesting to consider whether you could arbitrarily rewrite
the vote count in Massachusetts without being detected, assuming you had
unlimited financial resources and unlimited human assistance from people
who were not physically in Massachusetts. I lean towards no.
By contrast, the attacks I can describe on internet voting systems are much
more powerful. For example: a zero-day exploit in the Windows Update server
that installs itself a week before the election on computers throughout
California and deletes itself afterward might allow me to control north of
50% of ballots without detection. The same might go for, oh, a zero-day
exploit in Amazon's Elastic Load Balancer, which would allow me to filter
every request and response to every voting website hosted by Amazon, which
would be most of them. So I end up with an upper bound on the number of
votes that could be modified undetectably as, oh, 50%? 75%? And a lower
bound on the resources required to pull it off of, oh, 10 people? One
person?
(By undetectably, I mean technically. Obviously at some point the
corruption would become statistically unmistakeable, although the true vote
would still be irretrievable.)
In short: we are adopting a critical vulnerability -- the power for one
person to decide the election -- where one does not currently exist. (The
Cabal notwithstanding. There is no Cabal.) Before we do that we should be
able to confidently say that the vulnerability will never be exploited. We
cannot.
I can see you've decided that the risk of the one-person scenario is
effectively zero, but it seems to me you've decided that based on a
gut-level analysis of the complexity of the task which does not translate
to computers. The virtual machines we use to build websites and the virtual
machines we use to break them are not ten times as complex as physical
machines, they are millions of times as complex. They don't contain several
layers of abstraction, they contain dozens. People who can take advantage
of that complexity are able to accomplish extraordinary things. Consider
the one guy who hacked into 400,000 internet-connected devices
<http://internetcensus2012.bitbucket.org/paper.html> undetected, just
because he could; the teenager named Pinkie Pie who combined six different
newly-discovered bugs
<http://arstechnica.com/security/2012/05/anatomy-of-a-hack-6-separate-bugs-needed-to-bring-down-google-browser/>
to hack the near-bullet-proof Chrome browser; or the
schizophrenic programmer <http://qaa.ath.cx/LoseThos.html> who over eight
years wrote his own flight simulator in his own programming language in his
own from-scratch operating system. (To say nothing of the
absurdities <http://en.wikipedia.org/wiki/Stuxnet> that
can be pulled off by governments.) This is an area where our intuitions
about what can be accomplished by one brilliant, weird person stop being
even close to right. So are you right that there's a close to 0% chance
someone could pull it off? Maybe. Or maybe 10%. Or maybe 99%. But the idea
that you can accurately estimate the risk of this new critical
vulnerability you would introduce, that's unsupportable. So is the idea
that we might have a problem if there was *one* county to hack, but
*54* counties is way too many. That's not how things scale here.
Speaking of counties, I'm concerned that you would rely on heterogeneity
here. The security experience in other areas has been that, if 54 people
try to implement secure cryptographic systems, approximately 53 of them
screw it up. The only path that will even plausibly get you to a secure
voting system is to have a small number of open systems that everyone can
bang on and try to prove secure. Of course that puts you firmly in the
realm of "homogeneous enough for one dedicated person to break" -- but it's
better than "poorly implemented enough in some counties that kids screw
around with vote counts just because they're bored at school."
Maybe what I should ask is: if you compare your dream of internet voting to
the very best system you can think of that has safety characteristics more
like our current system in Massachusetts (for example, how about
vote-by-mail with a cancellation option to address coercion?), what about
your dream is so much better that it's worth accepting a safety profile
that is so much worse?
Best,
Jack
On Thu, May 16, 2013 at 5:21 PM, wjk <wjkellpro at aol.com> wrote:
> Mr. Cushman (reprinted below) has clearly stated the choices to be made
> when considering Internet voting security, as seen from within his
> interpretative framework. But, while it must be considered, that is not
> the only way to define the Internet voting situation. Equally important, in
> my opinion, to the techno-centered point of view is the social science
> interpretation.
> In my paper, at http://ssrn.com/abstract=2229557, I argue, inter alia,
> that attack scenarios must be addressed by individual type *and as social
> practices*, if threat realities are to be clearly understood, and
> rational threat assessments formed. That is, both technically and as
> social practices, a DoS attack is different than a vote changing attack,
> and both are different than a tabulation changing attack. Among the
> variables to be considered are the degree of technical sophistication
> required to execute the attack, the complexity of the situation, the
> financial costs of executing the attack, the chances of being caught by law
> enforcement, and the rewards of succeeding at the attack.
> For example, the rewards of immediate financial profit make attacks on
> financial targets appealing. But the rewards for attacking an election do
> not have the same immediacy, except for the winning candidate or party. Highly
> sophisticated thieves can conduct their own operation; hence, the chances
> of law enforcement discovering their conspiracy are relatively limited. But
> the typical candidate and/or party elites usually lack the sophistication
> to conduct an online election crime on their own. They have to shop
> around for experts to hire. This raises the chances of being caught; hence,
> assuming rationality, reducing the likelihood that they will attempt such a
> foolhardy crime.
> As to the complexity of the situation, a vote tabulation attack on an
> election for the governor of California would require the penetration of
> numerous servers, not just one. Suppose California has 54 counties, some
> sharing servers, some with multiple servers, and some with one server. The
> conspiracy would have to involve enough computer expert villains to
> simultaneously break into enough servers to engender a majority vote w/o
> raising the suspicion of local experts.
> I’m glad Jack mentioned “paranoia” as a test for the reasonableness of an
> attack scenario. In my judgment, the California scenario meets that
> criterion. See my paper for more discussion on such scenarios. My
> conclusion is that, yes, life itself is a risky situation, theoretically,
> attacks can happen, but when the practicalities of online election attacks
> are considered as social practices, then the Boogey Man Mr. Jefferson and
> his ilk scream about can be seen as a cageable tiger, and the democratizing
> potential of online elections becomes worth the risk.
>
> William J. Kelleher, Ph.D.
> Political Scientist, author, speaker,
> CEO for The Internet Voting Research and Education Fund
> Email: Internetvoting at gmail.com
> http://tinyurl.com/IntV-Now
> Blog: http://tinyurl.com/IV4All
> Twitter: wjkno1
>
>
> ------------------------------
>
> Message: 23
> Date: Thu, 16 May 2013 11:06:35 -0400
> From: Jack Cushman <jcushman at gmail.com>
> Subject: Re: [EL] The $45M Heist from NYC ATMs - Hall
> To: wjk <wjkellpro at aol.com>
> Cc: law-election at department-lists.uci.edu
> Message-ID:
> <CAEv_OHXsfcDGSe6sgmfYN25jyqC6hGkk7BYpwAQ+xuAKeTnR4A at mail.gmail.com>
> Content-Type: text/plain; charset="windows-1252"
>
> > Over the past few years nearly 100 trials of Internet voting have been
> > conducted w/o any reports of security breaches. ...
>
> > Here is a testable hypothesis: the ones who have actually built
> > successful Internet voting systems believe it can be done; while the ones
> > w/o such experience are positive it can't be done.
>
> This line of argument -- that internet voting has been successfully
> conducted in the past without reports of security breaches, and therefore
> "can be done" -- is not really responsive to the security concerns around
> internet voting. No one doubts that internet voting *can* be conducted in a
> *particular* election without a security breach in fact occurring. The
> technology for asking computer users their opinion and then recording that
> opinion on a large scale is well-understood. *See, e.g.,* [image: Inline
> image 1]
>
> The pessimists' claim, instead, is: internet voting cannot be conducted
> such that it is possible to prove in advance that a security breach is
> impossible, or that it is possible to prove afterward whether one has
> occurred. In order to rebut this claim, you need to show that internet
> voting can be conducted in a mathematically secure way even assuming your
> adversary controls both the client computer and the server.
>
> This is because of a number of well-understood and intractable problems in
> computer security which make it impossible to assume you have either a
> secure client computer or a secure server. For example:
>
> 1) Local infections. In the United States, approximately 30% of computers
> are infected with malware
> <http://www.infoworld.com/t/cyber-crime/malware-infects-30-percent-of-computers-in-us-199598>.
> Numbers are similar worldwide. If malware is running on your local
> computer, the *only* way you can be confident that your vote was not
> intercepted and modified is if your vote is independently communicated back
> to you on a different device; you cannot trust anything you see on your
> screen. So at a minimum, the nearly 100 tests you are referring to above
> contained only 70% reliable votes; the others could have been cast by
> botnet owners, most likely Russian organized crime. You have no way of
> knowing whether or not that in fact occurred; you must simply rely on the
> (reasonable in this case) hope that Russian organized crime had no
> incentive to interfere with the elections where internet voting was used.
>
> 2) Zero-day exploits. Any remote voting scheme will rely on a stack of
> technologies, such as SSL encryption between the browser and server, a web
> server like Apache, a server-side programming language like (but hopefully
> not) PHP, a database like (but probably not) MySQL, etc. The ones I
> mentioned are interesting because they have been used for many years on
> millions of computers handling important jobs or lots of money. And
> each <http://www.informationweek.com/security/vulnerabilities/serious-ssl-vulnerability-found/221600478>
> of them <http://www.cvedetails.com/cve/CVE-2010-0425/> has had
> <http://www.cvedetails.com/cve/CVE-2012-1823> vulnerabilities discovered
> <http://www.securiteam.com/exploits/5AP3G0K8VU.html> in the last
> few years that would allow for an attacker to subtly modify votes, either
> by interfering with messages in transit, or by remote code execution to
> modify requests and responses on the server. A well-designed system will
> include some redundancy of course, but its security claims will ultimately
> come down to "this works assuming SSL is secure and assuming Apache is
> secure" and so on. The assumption of security regarding technologies of
> that complexity has been *uniformly* proved false.
>
> "Sure," you say, "but our system will be run by experts who ensure the
> latest security updates are applied. What is the likelihood that some
> hacker has access to an Apache vulnerability no one else knows about yet?"
> And it turns out the likelihood is rather good, because there is a gray
> market selling that kind of exploit to governments around the world
> <http://www.slate.com/articles/technology/future_tense/2013/01/zero_day_exploits_should_the_hacker_gray_market_be_regulated.html>,
> with a premium on exclusivity.
>
> 3) Targeted attacks on individuals. Targeted hacking attacks can be
> incredibly sophisticated -- such as the high-profile one last
> August <http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/>
> where hackers combined weaknesses in Amazon and Apple's security processes
> to gain access to a Google email account for the pressing purpose of
> posting racist messages on the owner's Twitter. Another example is Chinese
> spear phishing attacks -- this first-person account by a nonprofit working
> on Taiwan issues in Washington,
> DC <http://www.lottaworld.com/2009/04/ghostnet-social-malware-spear-phishing-and-social-engineerin>,
> which had fake emails sent out under its name that were tailored to the
> sender, but that actually contained malware, is fascinating. It is simply
> unrealistic for anyone, including a security expert, to assume that they
> can protect their own computer from a concerted effort by people
> *pretending
> to be their friends and colleagues* to break in. So it is also unreasonable
> to assume that the computers of the programmers and system administrators
> running voting systems will be uncompromised.
>
> 4) Hardware attacks. Like, I don't know, back doors added to microchips by
> overseas manufacturers
> <http://www.schneier.com/blog/archives/2012/05/backdoor_found.html>.
> This gets into the realm of paranoia, but we're only talking about a few
> machines that need to be compromised at the hardware level, so there are
> plausible physical attacks here.
>
> I am not aware of a way to prove, for a particular system, either in
> advance that none of these attacks are possible, or afterward that none of
> them has occurred.
>
> --
>
> OK so: all of this is getting at the fundamental weakness that internet
> voting rests the entire outcome of your election on a few hundred physical
> devices running astronomically complex software and, by definition,
> accessible from anywhere in the world. In order to be comfortable with that
> situation, you need a protocol where: (1) you assume that users' computers
> are compromised by malware; (2) you assume that communications between
> those computers and the servers may be modified in transit; (3) you assume
> that the server software is vulnerable to zero-day remote code execution
> exploits; (4) you assume that the administrators of the system themselves
> may be using compromised computers; and (5) you assume that the hardware
> itself may be vulnerable to sabotage. And then you need to clearly explain
> how the system will work so that *even if all of those things are true*, we
> are still quite confident that the resulting election is no less inaccurate
> than it is with current technology.
>
> Of course people are working on that -- there are a bunch of interesting
> cryptographic systems
> <http://uwspace.uwaterloo.ca/bitstream/10012/5992/1/Clark_Jeremy.pdf> that
> might allow sophisticated voters to verify that their vote was not
> corrupted on the server, without verifying what it was. And there are some
> systems <http://www.infsec.ethz.ch/people/michschl/material/icegov2012.pdf>
> that
> might even allow voters to confidently vote without trusting their own
> computers -- although they seem to rely on users going through ridiculous
> gyrations to vote, or else typing in secret numbers communicated to them by
> some separate trustworthy channel, such as mail or a phone system. These
> systems have downsides, but would at least allow us to know after the fact
> that tampering had occurred, so we could hold a new election.
>
> If what you're actually saying is: don't worry about online security,
> because I have an online voting system that is affordable, user-friendly,
> and cryptographically secure over untrusted platforms while remaining an
> improvement over existing voting methods, then that's interesting. If what
> you're saying is that you don't need to solve that problem, because teams
> of computer experts have successfully collected votes from small groups of
> people in the past without being aware of any security breaches, that
> doesn't get you very far.
>
> Best,
> Jack
>
>
>
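Two of the quoted passages above, the one arguing that a voter on a malware-infected PC can only trust a confirmation that comes back "on a different device", and the one describing systems where voters type in "secret numbers communicated to them by some separate trustworthy channel, such as mail", are describing a code-voting (return-code) scheme. The simulation below is an added example written for this archive page; it is not code from the thread, from the cited papers, or from any deployed voting system. The candidate names, the six-digit codes, the HMAC-keyed server table, the two-voter demo and the malware behaviour are all assumptions chosen to illustrate the mechanism.

```python
"""Code-voting (return-code) simulation: the voter types a per-candidate code
printed on a paper sheet and checks the return code the server sends back.
Added illustration; candidate names, code lengths, the keyed-hash table and
the malware model are assumptions, not any real system's design."""
import hashlib
import hmac
import secrets

CANDIDATES = ["Alice", "Bob", "Carol"]  # hypothetical ballot
CODE_LEN = 6


def _random_code():
    return "".join(secrets.choice("0123456789") for _ in range(CODE_LEN))


def make_code_sheet(candidates=CANDIDATES):
    """Election authority prints one sheet per voter: for each candidate a
    vote code the voter types and a return code the voter expects back.
    The sheet is assumed to arrive by mail, so client malware never sees it."""
    sheet, used = {}, set()
    for cand in candidates:
        codes = []
        while len(codes) < 2:               # vote code first, then return code
            code = _random_code()
            if code not in used:            # every code on a sheet is distinct
                used.add(code)
                codes.append(code)
        sheet[cand] = (codes[0], codes[1])
    return sheet


class VotingServer:
    """Stores, per voter, a keyed hash of each valid vote code mapped to the
    candidate and its return code. A code that was never printed is rejected."""

    def __init__(self):
        self.key = secrets.token_bytes(32)
        self.table = {}                     # voter_id -> {tag: (cand, rc)}
        self.tally = {c: 0 for c in CANDIDATES}
        self.voted = set()

    def _tag(self, voter_id, vote_code):
        msg = f"{voter_id}:{vote_code}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def register(self, voter_id, sheet):
        self.table[voter_id] = {
            self._tag(voter_id, vc): (cand, rc) for cand, (vc, rc) in sheet.items()
        }

    def cast(self, voter_id, vote_code):
        """Record the vote and hand back its return code, or None when the code
        is not on this voter's sheet or the voter has already voted."""
        if voter_id in self.voted:
            return None
        entry = self.table.get(voter_id, {}).get(self._tag(voter_id, vote_code))
        if entry is None:
            return None
        cand, return_code = entry
        self.tally[cand] += 1
        self.voted.add(voter_id)
        return return_code


def honest_client(server, voter_id, vote_code):
    """Uncompromised PC: forwards the typed code and shows the real reply."""
    return server.cast(voter_id, vote_code)


def malware_client(server, voter_id, vote_code):
    """Infected PC that wants to move the vote. It only ever sees the one code
    the voter typed, so the best it can do is submit a guessed code and paint a
    fake return code on the screen; it knows neither another candidate's code
    nor the return code the voter is waiting for."""
    server.cast(voter_id, _random_code())   # rejected unless the guess is lucky (about 3 in 10^6)
    return _random_code()                   # forged receipt shown to the voter


def vote_and_verify(server, client, voter_id, sheet, choice):
    """Voter-side procedure: type the vote code for `choice`, then compare the
    code shown on screen with the return code printed next to `choice`."""
    vote_code, expected = sheet[choice]
    return client(server, voter_id, vote_code) == expected


def run_demo():
    """Two voters for Alice, one on a clean PC and one on an infected PC.
    Returns each voter's verification result and the server tally."""
    server = VotingServer()
    results = {}
    for voter_id, client in (("voter-1", honest_client), ("voter-2", malware_client)):
        sheet = make_code_sheet()
        server.register(voter_id, sheet)
        results[voter_id] = vote_and_verify(server, client, voter_id, sheet, "Alice")
    return results, server.tally


if __name__ == "__main__":
    print(run_demo())   # {'voter-1': True, 'voter-2': False}, tally with Alice=1
```

The point the simulation makes is the one the quoted message makes: the infected PC cannot redirect the vote to a candidate of its choosing, and whatever it displays will not match the paper sheet, so the voter learns that something went wrong even though nothing on the screen can be trusted. What it does not address is the rest of that message's list. Whoever holds the sheet-to-candidate mapping (the printer, or this server's table) learns every vote and could fabricate matching return codes, which is why deployed return-code designs split that knowledge across independent parties, and the detection only happens if voters actually compare the code they are shown with the one on the sheet.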
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://webshare.law.ucla.edu/Listservs/law-election/attachments/20130516/7709fe03/attachment.html>